Cyber Threat Intelligence Sharing: Standards-based Repository
November 14, 2014
Cyber Intelligence Sharing

• Sharing is Essential to the Industry and Core to the FS-ISAC
• Intelligence sharing is the primary method of:
  • Detecting industry targeting
  • Detecting institution targeting
  • Identifying new Techniques, Tactics and Procedures
  • Locating Advanced Persistent Threats
• Issues Today with Sharing
  • Today the industry processes very little of the intelligence it receives
  • Manual, Time Consuming, Costly
  • Practicing cost avoidance
  • Industry average of 7 man-hours to process a single intelligence document
  • Only a fraction of the documents are processed
  • Manually processing the entire CISCP document would cost over $10 million per Financial Institution

[Diagram: Bad People, Bad Things, Bad Events → Threat Intelligence]
Cyber Intelligence Sharing

• Solution
  • Let machines do machine work – process all intelligence at wire speed
  • Use standards whenever possible to support Machine-to-Machine (M2M)
  • DHS-sponsored Mitre standards, STIX & TAXII
  • Make intelligence more accessible to those with less resources
    • Small/Medium Member Institutions
    • Little security resources available
  • Drive adoption through high-level service & ease of use for all types of member institutions
  • Innovate – incrementally increase adoption, fidelity, and automation

[Link: More on STIX Standards (PDF)]
Today’s Threat Intelligence

• Detail with Initial Cyber Intel Repository

[Diagram: Member #1 reports "We just got pwned" with IP Address 172.198.1.1; Member #2 responds "We also see this!!" with the same IP Address 172.198.1.1]

Early adopters integrate with the repository, sighting the same malicious activity. Although still unclear, there is a level of automation.

Manual Sharing – you can only process a handful of threat indicators. The threat landscape is opaque.
Next Version of Cyber Intel Repository

[Diagram: Member #1 reports IP Address 172.198.1.1, Port 80; Sighting 8/5/18: Member #5; Sighting 8/8/18: Member #3 (IP Address 172.198.1.1, Port 80); Member #2: "We also see this!!"]

Better capabilities with bi-directional machine-to-machine support. Visibility and confirmation of the threat increases.
Next Year

[Diagram: IP Address 172.198.1.1, Port 80, User-Agent: Foo, Get Vars: fun=2, Actor: Abe Lincoln, Alias: L1c0lN, Campaign: Occupy Whitehouse]

A significant portion of large financial institutions share their threats. Detail of malicious activity and actor becomes clearer.
Security Standards Proliferation

[Diagram: IP Address 172.198.1.1, Port 80, User-Agent: Foo, Get Vars: fun=2, Actor: Abe Lincoln, Alias: L1c0lN, Campaign: Occupy Whitehouse]

Multiple industries utilizing repositories, sharing detailed sightings. A clear picture of many malicious actors, activities, and threats.
Logical Solution

One firm’s incident is another firm’s defense

• Federation of repositories serves as community hubs
• Detection of a threat, instantly shared to trusted members
• Cost to adversaries increased; cost to firms decreased

[Diagram: Organization A → ISAC Repository → Many Other Organizations]
1. Detect a Threat
2. Enrich Threat Data; Filter Policy for Sharing; Machine-to-Machine API
3. Store, Maintain Trust, Build Confidence in Threat Data (ISAC Repository)
4. Consume & Analyze (Machine-to-Machine API)
5. Actionable Intel = Proactive Defense

ISAC – Information Sharing Analysis Center
FI – Financial Institution
US-CERT – US Computer Emergency Response Team
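As an added illustration of steps 2 and 3 of this flow (aggregating member sightings, applying a sharing-policy filter before anything leaves the firm, and building confidence as more members confirm the same indicator), not code from FS-ISAC or the repository itself: the member names, dates, confidence scale and the private-address policy below are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address

# Constructed sample data modelled on the "Next Version" slide: several members sight
# the same IP/port, one member reports twice, and one report is an internal address.
SAMPLE_SIGHTINGS = [
    ("Member #1", "172.198.1.1", 80, date(2018, 8, 1)),  # date assumed; the slide gives none
    ("Member #5", "172.198.1.1", 80, date(2018, 8, 5)),
    ("Member #3", "172.198.1.1", 80, date(2018, 8, 8)),
    ("Member #3", "172.198.1.1", 80, date(2018, 8, 9)),  # repeat sighting: adds no confirmation
    ("Member #2", "10.0.0.7", 443, date(2018, 8, 9)),    # RFC 1918 address: policy keeps it local
]
# Assumed confidence scale: distinct confirming members -> level; three or more is "High".
CONFIDENCE_LEVELS = {1: "Low", 2: "Medium"}


class Repository:
    """Aggregates member sightings per (ip, port) indicator (steps 2-3 of the flow)."""
    def __init__(self, sightings=()):
        self.members = defaultdict(set)   # (ip, port) -> distinct members that sighted it
        self.dates = defaultdict(list)    # (ip, port) -> every sighting date, repeats included
        for member, ip, port, when in sightings:
            self.add_sighting(member, ip, port, when)

    def add_sighting(self, member, ip, port, when):
        self.members[(ip, port)].add(member)
        self.dates[(ip, port)].append(when)

    def confidence(self, ip, port):
        # Confidence grows with the number of independent members confirming the indicator.
        n = len(self.members.get((ip, port), ()))
        return CONFIDENCE_LEVELS.get(n, "High") if n else None

    @staticmethod
    def shareable(ip):
        # Assumed sharing policy: only globally routable addresses leave the firm.
        return ip_address(ip).is_global

    def export(self, min_members=2):
        # Indicators confirmed by at least min_members members and permitted by policy.
        out = []
        for (ip, port), members in self.members.items():
            if len(members) < min_members or not self.shareable(ip):
                continue
            dates = self.dates[(ip, port)]
            out.append({"ip": ip, "port": port, "confidence": self.confidence(ip, port),
                        "confirmed_by": len(members), "sightings": len(dates),
                        "first_seen": min(dates).isoformat(), "last_seen": max(dates).isoformat()})
        return out
```

`Repository(SAMPLE_SIGHTINGS).export()` yields one record for 172.198.1.1:80 confirmed by three members over four sightings, while the internal 10.0.0.7 report never leaves the filter regardless of how often it is seen.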
Benefits

• Save Time, Lower Costs, Reduce Risk
• One Firm’s Incident/Exploit becomes Another’s Control/Defense
• Less time & effort needed to:
  • Aggregate, Store, Understand Threat Data
  • Enrich/Increase Fidelity of Threat Data
  • Communicate Threat Data
  • Action to Defend or Mitigate
• Security analysts would focus on analysis instead of machine work
  • Reinvest time to improve risk posture
  • Improving analytics of threats, linking TTPs to indicators, identifying new tool kits
  • Become more pre-emptive, breaking the kill-chain earlier
• Better intelligence → better defense → increased cost of malicious activity

Moving to the Left of the Hack Eliminates Threats Before Being Compromised
Where We Are Today

• Active working group, multiple meetings per month, interest and adoption growing across multiple industries and countries
• Working closely with DHS, US-CERT, and Mitre to create and align intelligence sharing standards
• Launched initial Repository – more coming
  • Version 1: released in May
    • First standards-based repository, first TAXII implementation
    • Tracking 37,000 Indicators
  • Version 2: release in Fall 2013
    • Full STIX backend, supporting all STIX object types
    • Bi-directional TAXII support
• Visit our webpage for more information: www.fsisac.com/CyberIntelligenceRepository